US cyber officials warned that a major cyber attack unearthed this week was still continuing and posed a “grave risk” to the government, critical infrastructure and private sector.
The update on the SolarWinds hack is the first time the US has confirmed the scale of the attack and the difficulty involved in finding and removing perpetrators from secure networks.
Thousands of businesses and government agencies may have been exposed after downloading compromised software from SolarWinds, a Texas-based IT group.
But the Cybersecurity and Infrastructure Security Agency said on Thursday that the hackers had gained access to systems using other means than the SolarWinds software.
Cisa said the hackers had “demonstrated sophistication and complex tradecraft in these intrusions” and that it would be “highly complex and challenging” to remove the hackers from compromised systems.
The agency cited a report published by cyber group Volexity detailing attacks by the same hackers against an unnamed US think-tank, including one that used new methods to bypass multi-factor authentication security.
It added that it had “evidence” of “access vectors, other than the SolarWinds Orion platform” which were being investigated.
FireEye, SolarWinds and some US officials have blamed “nation-state” hackers for the breach, which first came to light at the end of last week. Cyber security experts, plus several politicians, have singled out Russian intelligence as the culprit, although Russia has strongly denied any involvement.
“Today’s classified briefing on Russia’s cyber attack left me deeply alarmed, in fact downright scared,” Richard Blumenthal, Democratic senator from Connecticut, wrote on Twitter on Wednesday. “Americans deserve to know what’s going on. Declassify what’s known & unknown.”
Cisa warned that removing the hackers from compromised systems would be “highly complex and challenging”.
The agency also confirmed reports that, once inside a victim’s networks, the hackers were able to pose as other accounts and gain privileged access to certain systems, such as email services, travel services and file storage services.
In particular, it said it had seen “adversaries targeting email accounts belonging to key personnel, including IT and incident-response personnel”.
As a result, it warned that “discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures”. It recommended that victims communicate via other channels that have not been exposed in any way.
FireEye said on Wednesday it had identified a kill switch that could stop the attackers from continuing to lurk inside networks in some cases.